How do I call an API directly with syscall? https://j00ru.vexillium.org/syscalls/nt/32/ - list
Can you give an example?
Test it with a debugger. And explain what you need it for...
include \masm32\include\masm32rt.inc    ; MASM32 runtime include: standard includes, libs and macros
uselib ntoskrnl                         ; NOTE(review): user-mode code would normally take NtCreateFile from ntdll, not ntoskrnl - confirm the intended library
.code
start:
exit                                    ; presumably the ExitProcess macro: the process ends here, so the call below is never reached
call NtCreateFile                       ; no arguments are pushed, although the prototype below lists 11 __stdcall parameters
end start
/* Prototype of the NtCreateFile system service as declared in the Windows
 * headers.  The thread above notes these are __stdcall functions on x86, so
 * a caller must push all 11 arguments right-to-left before the call.
 * NTSYSCALLAPI / __kernel_entry mark it as a system-call entry point; the
 * exact expansion is header-specific and not shown here. */
__kernel_entry NTSYSCALLAPI NTSTATUS NtCreateFile(
PHANDLE FileHandle,                 /* pointer to HANDLE: receives the result (out) */
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,/* pointer to an OBJECT_ATTRIBUTES (name, root, attributes) */
PIO_STATUS_BLOCK IoStatusBlock,     /* pointer to IO_STATUS_BLOCK: receives status/information (out) */
PLARGE_INTEGER AllocationSize,      /* pointer to LARGE_INTEGER */
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,                     /* EaBuffer / EaLength describe an optional extended-attribute block */
ULONG EaLength
);
Hi morgot,
Nothing special. They are __stdcall functions. A small example:
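.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\ntdll.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\ntdll.lib
includelib \masm32\lib\masm32.lib

; "Executable signature = " is 23 characters; with the 2-character signature
; and the terminating NUL, wsprintf writes 26 bytes.  The original 16-byte
; buffer overflowed into whatever followed it in .data?.
BUFFER_SIZE equ 64

.data
str1 db 'Executable signature = %s',0   ; wsprintf format; %s reads the signature bytes
str2 db 'RtlImageNtHeader failed',0     ; reported when the image headers cannot be located

.data?
buffer db BUFFER_SIZE dup(?)            ; output line built by wsprintf

.code
;-----------------------------------------------------------------------
; start: print the PE signature of this executable.
; Uses the ntdll export RtlImageNtHeader through an ordinary __stdcall
; import (no raw syscall is involved).  Never returns: ends via ExitProcess.
;-----------------------------------------------------------------------
start:
    invoke GetModuleHandle,0            ; eax = base address of this module
    invoke RtlImageNtHeader,eax         ; eax = IMAGE_NT_HEADERS*, or NULL if no valid PE headers
    test eax,eax
    jz failed
    ; Signature is the DWORD "PE\0\0": the two trailing zero bytes make it a
    ; NUL-terminated string, which is what %s relies on.
    lea edx,IMAGE_NT_HEADERS.Signature[eax]
    invoke wsprintf,ADDR buffer,\
                    ADDR str1,edx
    invoke StdOut,ADDR buffer
    invoke ExitProcess,0
failed:
    invoke StdOut,ADDR str2
    invoke ExitProcess,1
END start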
The syscall instruction is not used on x86; it is only used on x64.
https://j00ru.vexillium.org/syscalls/nt/64/
Since nobody uses x86 operating systems anymore, here is an example for Windows 10 x64:
option casemap :None                    ; case-sensitive symbols, so the prototypes match the exported C names
includelib \masm32\lib64\kernel32.lib   ; provides ExitProcess
ExitProcess proto :dword                ; ExitProcess(exit_code) - never returns
includelib \masm32\lib64\msvcrt.lib     ; provides printf
printf proto :ptr, :vararg              ; printf(format, ...) - varargs, Windows x64 convention
; Buffer layout filled in by NtQuerySystemInformation for information class 0
; (SystemBasicInformation).  Only NumberOfProcessors is named; the rest is
; treated as opaque here.
; Offsets: Reserved1 = 0..23, Reserved2 = 24..55, NumberOfProcessors = 56.
; With 8-byte alignment the struct size is padded to 64 (0x40), which matches
; the retlen shown in the sample output below.
_SYSTEM_BASIC_INFORMATION struct 8
Reserved1 byte 24 dup (?)               ; 24 opaque bytes
Reserved2 qword 4 dup (?)               ; 4 x 8 opaque bytes
NumberOfProcessors sbyte ?              ; signed byte: sign-extend (movsx) before passing as an int
_SYSTEM_BASIC_INFORMATION ends
.data
; printf format used by main: %d <- processor count (edx), 0x%x <- bytes
; returned by the kernel (r8), 0x%x <- NTSTATUS from the syscall (r9d).
; 13,10,0 terminates the line with CR LF and a NUL.
format0 db "Number of processors: %d retlen: 0x%x retval: 0x%x",13,10,0
.code
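;-----------------------------------------------------------------------
; main: query SystemBasicInformation with a raw `syscall` and print
;       the processor count, the returned length and the NTSTATUS.
; ABI:  Windows x64 (rcx, rdx, r8, r9; 32-byte shadow space at each call).
; Never returns: ends via ExitProcess.
;-----------------------------------------------------------------------
main proc
    LOCAL basicinfo : _SYSTEM_BASIC_INFORMATION ; output buffer for the query
    LOCAL retlen    : qword                     ; ReturnLength written by the kernel

    ; System service numbers are not a stable interface: they differ between
    ; Windows releases, so this value is only valid for the builds listed.
    ; A wrong number invokes some other service with these arguments.
    SSN_NtQuerySystemInformation equ 36h ; Windows 10 until 1903=0x0036, Windows 7=0x0033, Windows 8.1=0x0035
    SystemBasicInformation       equ 0

    ; 32 bytes of shadow space for the calls below plus 8 bytes so rsp is
    ; 16-byte aligned at the call sites (assumes ml64's LOCAL prologue leaves
    ; rsp at 8 mod 16 here - TODO confirm with a debugger).
    sub  rsp, 28h
    mov  retlen, 0

    ; Raw x64 syscall convention: r10 carries the first argument because the
    ; syscall instruction itself overwrites rcx; rdx/r8/r9 are as usual and
    ; eax holds the service number.
    ;   NtQuerySystemInformation(SystemBasicInformation, &basicinfo,
    ;                            sizeof basicinfo, &retlen)
    xor  r10d, r10d                             ; r10 = SystemBasicInformation (0)
    lea  rdx, basicinfo
    mov  r8d, sizeof basicinfo
    lea  r9, retlen
    mov  eax, SSN_NtQuerySystemInformation
    syscall                                     ; clobbers rcx, r11; eax = NTSTATUS

    ; NumberOfProcessors is a signed byte.  The original `mov dl, ...` wrote
    ; only the low byte and left the upper bits of rdx (still holding the
    ; basicinfo address unless the kernel cleared them) to be read by %d.
    lea   rcx, format0
    movsx edx, basicinfo.NumberOfProcessors
    mov   r8, retlen
    mov   r9d, eax
    call  printf

    xor  ecx, ecx                               ; exit code 0
    call ExitProcess
main endp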
end
Output:
Number of processors: 12 retlen: 0x40 retval: 0x0
For Windows x86 operating systems we can use Sysenter (or int 2eh). The procedure is slightly different and is left here as an exercise for anyone who wishes to try it.